Closed diemkay closed 2 years ago
Thanks @diemkay please refer to this issue if you have any suggestions: https://github.com/artf/grapesjs/issues/3082
@artf Thanks, but I've already seen that ticket and it doesn't cover the issue I'm describing here.
The injection is not in Live Preview, it's in Style Manager, where it tries to display the id of the component, by setting .innerHtml.
Yeah sorry, closed too soon 😁. I'll try to fix it for the next release.
@artf can you share a timeline for when the next release will be?
I hope to release it this week.
GrapesJS version
What browser are you using?
Chrome 97.0.4692.71
Reproducible demo link
https://jsfiddle.net/ovrz5ug2/4/
Describe the bug
Hi - we ran across this XSS vulnerability while using GrapesJS in a multiplayer type scenario, with several privileged users able to make changes to templates and components via the editor (i.e., non-devs). Effectively, this renders them vulnerable to an attack from within the organization, where one user adds malicious code, and a different one can come across it and run it.
How to reproduce the bug?
id attribute, either directly in the HTML or via the trait manager (and save) - in this case, id="<details/open/ontoggle=alert(document.location)>
What is the expected behavior?
No XSS via the component's attributes (including, but not limited to id).
What is the current behavior?
GrapesJS runs the malicious code.
If you have any tips or guidance, I could lend a hand with a PR.
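Added example (not GrapesJS's own code) of the pattern this report describes: a Style Manager-style label built from the component id and handed to innerHTML, next to two hardened versions, one that escapes the id before interpolating it and one that writes textContent instead. The function names, the wrapper span and its class name are assumptions; the sample id is the one from the reproduction steps above.

```javascript
// Escape the five characters that matter when text is placed inside element content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed shape, modelled on the behaviour in the report):
// the raw id is interpolated into markup that is later assigned to el.innerHTML,
// so any tag inside the id is parsed and becomes live DOM.
function buildSelectorMarkupUnsafe(componentId) {
  return `<span class="gjs-selector">#${componentId}</span>`;
}

// Hardened variant: escape before interpolating, so the id is rendered as text
// even though the result still goes through innerHTML.
function buildSelectorMarkupSafe(componentId) {
  return `<span class="gjs-selector">#${escapeHtml(componentId)}</span>`;
}

// Alternative hardening when a DOM element is at hand: assign textContent.
// A text node is never parsed as HTML, so no escaping step is needed.
function renderSelectorLabel(targetEl, componentId) {
  targetEl.textContent = `#${componentId}`;
  return targetEl.textContent;
}

// Review/test helper: does the produced markup contain any tag other than the
// wrapper span we intended to emit? True means attacker-controlled markup leaked.
function introducesExtraTags(markup) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span\b/.test(t));
}

// Constructed input: the id from the reproduction steps in this issue.
const PAYLOAD_ID = '<details/open/ontoggle=alert(document.location)>';

console.log('unsafe leaks tag:', introducesExtraTags(buildSelectorMarkupUnsafe(PAYLOAD_ID)));
console.log('safe leaks tag:  ', introducesExtraTags(buildSelectorMarkupSafe(PAYLOAD_ID)));
```

The same check works as a regression test for any attribute (class, title, data-*) that the UI reflects into markup, not just id.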